The following Fedora 24 Security updates need testing:
 Age  URL
 182  https://bodhi.fedoraproject.org/updates/FEDORA-2016-26f9817b08   squid-3.5.23-1.fc24
 175  https://bodhi.fedoraproject.org/updates/FEDORA-2016-eaaa9c4a08   exim-4.87.1-1.fc24
 138  https://bodhi.fedoraproject.org/updates/FEDORA-2017-ece16ba6ba   runc-1.0.0-5.rc2.gitc91b5be.fc24
  74  https://bodhi.fedoraproject.org/updates/FEDORA-2017-8330a48ca2   python-XStatic-jquery-ui-1.12.0.1-1.fc24
  13  https://bodhi.fedoraproject.org/updates/FEDORA-2017-5f1006afb1   libstaroffice-0.0.3-3.fc24
  13  https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1f4c48c68   nodejs-brace-expansion-1.1.7-1.fc24
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2017-e4638a345c   tomcat-8.0.44-1.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbae64fdc2   libmwaw-0.3.11-3.fc24
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2017-b154ff2892   mercurial-3.7.3-2.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-c2e1dc46a1   chromium-59.0.3071.104-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bff00a1c35   thunderbird-52.2.0-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-87aa9db27f   firefox-54.0-2.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8d76bef4e   chromium-native_client-59.0.3071.86-1.20170607gitaac1de2.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-4932c9b886   c-ares-1.13.0-1.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-698daef73c   glibc-2.23.1-12.fc24
The following Fedora 24 Critical Path updates have yet to be approved:
 Age  URL
  61  https://bodhi.fedoraproject.org/updates/FEDORA-2017-e1905fd566   koji-1.12.0-2.fc24
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2017-07fed9b000   libteam-1.27-1.fc24
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2017-ce8c7053eb   audit-2.7.7-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-87aa9db27f   firefox-54.0-2.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bff00a1c35   thunderbird-52.2.0-1.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-698daef73c   glibc-2.23.1-12.fc24
The following builds have been pushed to Fedora 24 updates-testing
bugwarrior-1.5.1-3.fc24
c-ares-1.13.0-1.fc24
casync-1-2.fc24
catdoc-0.95-1.fc24
chromium-native_client-59.0.3071.86-1.20170607gitaac1de2.fc24
copy-jdk-configs-2.2-3.fc24
duplicity-0.7.13.1-1.fc24
glibc-2.23.1-12.fc24
gnome-documents-3.20.2-1.fc24
golang-github-AudriusButkevicius-pfilter-0.0.1-1.fc24
golang-github-ccding-go-stun-0.1.0-1.fc24
gsmartcontrol-1.0.1-1.fc24
meson-0.41.1-1.fc24
pari-2.7.6-2.fc24
perl-CPAN-Perl-Releases-3.24-1.fc24
perl-Module-CoreList-5.20170621-1.fc24
php-fig-link-util-1.0.0-1.fc24
php-psr-link-1.0.0-1.fc24
php-zendframework-zend-session-2.7.4-1.fc24
qgit-2.7-1.fc24
scap-workbench-1.1.5-1.fc24
strongswan-5.5.3-1.fc24
trader-7.11-1.fc24
unicode-emoji-5.0-1.fc24
Details about builds:
================================================================================
bugwarrior-1.5.1-3.fc24 (FEDORA-2017-c363da2002)
Sync github, bitbucket, and trac issues with taskwarrior
--------------------------------------------------------------------------------
Update Information:
Add requirement on python2-configparser ---- Drop the egg constraint against
our version of `future`. ---- Latest upstream with a bazillion changes.
Please make sure it actually works for you before providing karma. :)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1460529 - pkg_resources.DistributionNotFound: The 'future!=0.16.0'
distribution was not found and is required by bugwarrior
https://bugzilla.redhat.com/show_bug.cgi?id=1460529
--------------------------------------------------------------------------------
================================================================================
c-ares-1.13.0-1.fc24 (FEDORA-2017-4932c9b886)
A library that performs asynchronous DNS operations
--------------------------------------------------------------------------------
Update Information:
CVE-2017-1000381: c-ares NAPTR parser out of bounds access
--------------------------------------------------------------------------------
================================================================================
casync-1-2.fc24 (FEDORA-2017-475890e856)
Content Addressable Data Synchronizer
--------------------------------------------------------------------------------
Update Information:
New package, see
http://0pointer.net/blog/casync-a-tool-for-distributing-file-system-images.html.
---- New package, see
http://0pointer.net/blog/casync-a-tool-for-distributing-file-system-images.html.
--------------------------------------------------------------------------------
================================================================================
catdoc-0.95-1.fc24 (FEDORA-2017-159e0b5e7c)
A program which converts Microsoft office files to plain text
--------------------------------------------------------------------------------
Update Information:
Update to 0.95. Resolves legal issue with unicode files.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1295166 - catdoc included non-free text
https://bugzilla.redhat.com/show_bug.cgi?id=1295166
--------------------------------------------------------------------------------
================================================================================
chromium-native_client-59.0.3071.86-1.20170607gitaac1de2.fc24 (FEDORA-2017-b8d76bef4e)
Google Native Client Toolchain
--------------------------------------------------------------------------------
Update Information:
Chromium 59. Add smaller logo files. Fix lots of security bugs: Security fix for
CVE-2017-5070, CVE-2017-5071, CVE-2017-5072, CVE-2017-5073, CVE-2017-5074,
CVE-2017-5075, CVE-2017-5086, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078,
CVE-2017-5079, CVE-2017-5080, CVE-2017-5081, CVE-2017-5082, CVE-2017-5083,
CVE-2017-5085
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1459037 - CVE-2017-5085 chromium-browser: inappropriate javascript execution
on webui pages
https://bugzilla.redhat.com/show_bug.cgi?id=1459037
[ 2 ] Bug #1459036 - CVE-2017-5083 chromium-browser: ui spoofing in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1459036
[ 3 ] Bug #1459035 - CVE-2017-5082 chromium-browser: insufficient hardening in credit
card editor
https://bugzilla.redhat.com/show_bug.cgi?id=1459035
[ 4 ] Bug #1459034 - CVE-2017-5081 chromium-browser: extension verification bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1459034
[ 5 ] Bug #1459033 - CVE-2017-5080 chromium-browser: use after free in credit card
autofill
https://bugzilla.redhat.com/show_bug.cgi?id=1459033
[ 6 ] Bug #1459032 - CVE-2017-5079 chromium-browser: ui spoofing in blink
https://bugzilla.redhat.com/show_bug.cgi?id=1459032
[ 7 ] Bug #1459031 - CVE-2017-5078 chromium-browser: possible command injection in
mailto handling
https://bugzilla.redhat.com/show_bug.cgi?id=1459031
[ 8 ] Bug #1459030 - CVE-2017-5077 chromium-browser: heap buffer overflow in skia
https://bugzilla.redhat.com/show_bug.cgi?id=1459030
[ 9 ] Bug #1459029 - CVE-2017-5076 chromium-browser: address spoofing in omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1459029
[ 10 ] Bug #1459028 - CVE-2017-5086 chromium-browser: address spoofing in omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1459028
[ 11 ] Bug #1459027 - CVE-2017-5075 chromium-browser: information leak in csp reporting
https://bugzilla.redhat.com/show_bug.cgi?id=1459027
[ 12 ] Bug #1459025 - CVE-2017-5074 chromium-browser: use after free in apps bluetooth
https://bugzilla.redhat.com/show_bug.cgi?id=1459025
[ 13 ] Bug #1459024 - CVE-2017-5073 chromium-browser: use after free in print preview
https://bugzilla.redhat.com/show_bug.cgi?id=1459024
[ 14 ] Bug #1459023 - CVE-2017-5072 chromium-browser: address spoofing in omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1459023
[ 15 ] Bug #1459022 - CVE-2017-5071 chromium-browser: out of bounds read in v8
https://bugzilla.redhat.com/show_bug.cgi?id=1459022
[ 16 ] Bug #1459021 - CVE-2017-5070 chromium-browser: type confusion in v8
https://bugzilla.redhat.com/show_bug.cgi?id=1459021
--------------------------------------------------------------------------------
================================================================================
copy-jdk-configs-2.2-3.fc24 (FEDORA-2017-f5334c3d4d)
JDKs configuration files copier
--------------------------------------------------------------------------------
Update Information:
Added support for jdk9, silenced yum warnings, excluded debug subpackages
--------------------------------------------------------------------------------
================================================================================
duplicity-0.7.13.1-1.fc24 (FEDORA-2017-86356e6386)
Encrypted bandwidth-efficient backup using rsync algorithm
--------------------------------------------------------------------------------
Update Information:
https://launchpad.net/duplicity/0.7-series/0.7.13.1 ----
https://launchpad.net/duplicity/0.7-series/0.7.13
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1462570 - duplicity-0.7.13.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1462570
[ 2 ] Bug #1460834 - duplicity-0.7.13 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1460834
--------------------------------------------------------------------------------
================================================================================
glibc-2.23.1-12.fc24 (FEDORA-2017-698daef73c)
The GNU libc libraries
--------------------------------------------------------------------------------
Update Information:
This update addresses CVE-2017-1000366, a vulnerability in the dynamic linker
allowing local privilege escalation.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1462820 - CVE-2017-1000366 glibc: heap/stack gap jumping via unbounded stack
allocations [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1462820
--------------------------------------------------------------------------------
================================================================================
gnome-documents-3.20.2-1.fc24 (FEDORA-2017-07c6b62d05)
A document manager application for GNOME
--------------------------------------------------------------------------------
Update Information:
* Use LOKDocView for pre-OOXML MS Office formats
* Don't offer to open in file-roller
* Pass the correct number of arguments to LOKDocView.View.new
* Don't steal space keypress in preview
* Don't leak the URI when thumbnailing
* Make sure that load jobs are cancelled
* Enable printing only for documents that support it
--------------------------------------------------------------------------------
================================================================================
golang-github-AudriusButkevicius-pfilter-0.0.1-1.fc24 (FEDORA-2017-3ca1322aa6)
Simple Packet Filtering package written in Go
--------------------------------------------------------------------------------
Update Information:
Bump to version 0.0.1 (no code changes).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1462575 - golang-github-AudriusButkevicius-pfilter-0.0.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1462575
--------------------------------------------------------------------------------
================================================================================
golang-github-ccding-go-stun-0.1.0-1.fc24 (FEDORA-2017-cd59511689)
STUN client (RFC 3489 and RFC 5389) implementation in Go
--------------------------------------------------------------------------------
Update Information:
Bump to version 0.1.0 (no code changes).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1462718 - golang-github-ccding-go-stun-0.1.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1462718
--------------------------------------------------------------------------------
================================================================================
gsmartcontrol-1.0.1-1.fc24 (FEDORA-2017-fcde4bf967)
Graphical user interface for smartctl
--------------------------------------------------------------------------------
Update Information:
Update to 1.0.1. Switch to GTK3.
--------------------------------------------------------------------------------
================================================================================
meson-0.41.1-1.fc24 (FEDORA-2017-74af926adb)
High productivity build system
--------------------------------------------------------------------------------
Update Information:
# New features

## Dependency Handler for LLVM

Native support for linking against LLVM using the `dependency` function.

## vcs_tag keyword fallback is now optional

The `fallback` keyword in `vcs_tag` is now optional. If not given, its value
defaults to the return value of `meson.project_version()`.

## Better quoting of special characters in ninja command invocations

The ninja backend now quotes special characters that may be interpreted by
ninja itself, providing better interoperability with custom commands. This
support may not be perfect; please report any issues found with special
characters to the issue tracker.

## Pkgconfig support for custom variables

The Pkgconfig module object can add arbitrary variables to the generated .pc
file with the new `variables` keyword:

    pkg.generate(libraries : libs, subdirs : h,
                 version : '1.0', name : 'libsimple',
                 filebase : 'simple', description : 'A simple demo library.',
                 variables : ['datadir=${prefix}/data'])

## A target for creating tarballs

Creating distribution tarballs is simple:

    ninja dist

This will create a `.tar.xz` archive of the source code including submodules
without any revision control information. This command also verifies that the
resulting archive can be built, tested and installed. This is roughly
equivalent to the distcheck target in other build systems. Currently this only
works for projects using Git and only with the Ninja backend.

## Support for passing arguments to Rust compiler

Targets for building rust now take a `rust_args` keyword.

## Code coverage export for tests

Code coverage can be generated for tests by passing the `--cov` argument to the
`run_tests.py` test runner. Note, since multiple processes are used, coverage
must be combined before producing a report (`coverage3 combine`).

## Reproducible builds

All known issues have been fixed and Meson can now build reproducible Debian
packages out of the box.

## Extended template substitution in configure_file

The output argument of `configure_file()` is parsed for `@BASENAME@` and
`@PLAINNAME@` substitutions.

## Cross-config property for overriding whether an exe wrapper is needed

The new `needs_exe_wrapper` property allows overriding auto-detection for cases
where `build_machine` appears to be compatible with `host_machine`, but
actually isn't. For example when:

- `build_machine` is macOS and `host_machine` is the iOS Simulator
- the `build_machine`'s libc is glibc but the `host_machine` libc is uClibc
- code relies on kernel features not available on the `build_machine`

## Support for capturing stdout of a command in configure_file

`configure_file()` now supports a new keyword - `capture`. When this argument
is set to true, Meson captures `stdout` of the `command` and writes it to the
target file specified as output.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1461420 - meson-0.41.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1461420
--------------------------------------------------------------------------------
================================================================================
pari-2.7.6-2.fc24 (FEDORA-2017-36e79fe180)
Number Theory-oriented Computer Algebra System
--------------------------------------------------------------------------------
Update Information:
This update is a cumulative bugfix release from upstream and adds the missing
desktop icon for Pari/GP.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1462987 - The icon referred to in the desktop file is missing from rpm
https://bugzilla.redhat.com/show_bug.cgi?id=1462987
--------------------------------------------------------------------------------
================================================================================
perl-CPAN-Perl-Releases-3.24-1.fc24 (FEDORA-2017-252195c0ca)
Mapping Perl releases on CPAN to the location of the tarballs
--------------------------------------------------------------------------------
Update Information:
Updated to the latest version
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1463229 - perl-CPAN-Perl-Releases-3.24 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1463229
--------------------------------------------------------------------------------
================================================================================
perl-Module-CoreList-5.20170621-1.fc24 (FEDORA-2017-8dfa6c1eae)
What modules are shipped with versions of perl
--------------------------------------------------------------------------------
Update Information:
Updated to the latest version
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1463240 - perl-Module-CoreList-5.20170621 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1463240
--------------------------------------------------------------------------------
================================================================================
php-fig-link-util-1.0.0-1.fc24 (FEDORA-2017-622a500d85)
Common utility implementations for HTTP links
--------------------------------------------------------------------------------
Update Information:
# php-psr-link

This package holds all interfaces/classes/traits related to
[PSR-13](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-13-links.md).
Note that this is not an HTTP link implementation of its own. It is merely an
interface that describes an HTTP link. See the specification for more details.

# php-fig-link-util

This package includes common utilities to assist with implementing
[PSR-13](http://www.php-fig.org/psr/psr-13/). Note that it is not intended as a
complete PSR-13 implementation, only a partial implementation to make writing
other implementations easier.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1460523 - Review Request: php-psr-link - Common interfaces for HTTP links
(PSR-13)
https://bugzilla.redhat.com/show_bug.cgi?id=1460523
[ 2 ] Bug #1460524 - Review Request: php-fig-link-util - Common utility implementations
for HTTP links
https://bugzilla.redhat.com/show_bug.cgi?id=1460524
--------------------------------------------------------------------------------
================================================================================
php-psr-link-1.0.0-1.fc24 (FEDORA-2017-622a500d85)
Common interfaces for HTTP links (PSR-13)
--------------------------------------------------------------------------------
Update Information:
# php-psr-link

This package holds all interfaces/classes/traits related to
[PSR-13](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-13-links.md).
Note that this is not an HTTP link implementation of its own. It is merely an
interface that describes an HTTP link. See the specification for more details.

# php-fig-link-util

This package includes common utilities to assist with implementing
[PSR-13](http://www.php-fig.org/psr/psr-13/). Note that it is not intended as a
complete PSR-13 implementation, only a partial implementation to make writing
other implementations easier.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1460523 - Review Request: php-psr-link - Common interfaces for HTTP links
(PSR-13)
https://bugzilla.redhat.com/show_bug.cgi?id=1460523
[ 2 ] Bug #1460524 - Review Request: php-fig-link-util - Common utility implementations
for HTTP links
https://bugzilla.redhat.com/show_bug.cgi?id=1460524
--------------------------------------------------------------------------------
================================================================================
php-zendframework-zend-session-2.7.4-1.fc24 (FEDORA-2017-e59a58ced4)
Zend Framework Session component
--------------------------------------------------------------------------------
Update Information:
**Version 2.7.4** - 2017-06-19

* Fixed
  - [#66](https://github.com/zendframework/zend-session/pull/66) fixes how the
    `Cache` save handler's `destroy()` method works, ensuring it does not
    attempt to remove an item by `$id` if it does not already exist in the
    cache.
  - [#79](https://github.com/zendframework/zend-session/pull/79) updates the
    signature of `AbstractContainer::offsetGet()` to match
    `Zend\Stdlib\ArrayObject` and return by reference, fixing an issue when
    running under PHP 7.1+.
--------------------------------------------------------------------------------
================================================================================
qgit-2.7-1.fc24 (FEDORA-2017-6ca981e9cf)
GUI browser for git repositories
--------------------------------------------------------------------------------
Update Information:
- updated to 2.7 - full changelog at
http://libre.tibirna.org/projects/qgit/wiki/27
--------------------------------------------------------------------------------
================================================================================
scap-workbench-1.1.5-1.fc24 (FEDORA-2017-d24e7b2c54)
Scanning, tailoring, editing and validation tool for SCAP content
--------------------------------------------------------------------------------
Update Information:
Updated to new upstream release 1.1.5
--------------------------------------------------------------------------------
================================================================================
strongswan-5.5.3-1.fc24 (FEDORA-2017-bc01c6ca93)
An OpenSource IPsec-based VPN and TNC solution
--------------------------------------------------------------------------------
Update Information:
Updated to 5.5.3
--------------------------------------------------------------------------------
================================================================================
trader-7.11-1.fc24 (FEDORA-2017-afdec15340)
Star Traders, a simple game of interstellar trading
--------------------------------------------------------------------------------
Update Information:
Update to trader 7.11, a bug-fix release ---- Add the Star Traders package, a
simple game of interstellar trading
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1462477 - trader-7.11 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1462477
[ 2 ] Bug #812758 - Review Request: trader - Star Traders, a simple game of interstellar
trading
https://bugzilla.redhat.com/show_bug.cgi?id=812758
--------------------------------------------------------------------------------
================================================================================
unicode-emoji-5.0-1.fc24 (FEDORA-2017-f8c68a2f1d)
Unicode Emoji Data Files
--------------------------------------------------------------------------------
Update Information:
update to Unicode Emoji Data 5.0
--------------------------------------------------------------------------------